diff options
Diffstat (limited to 'policy/modules/admin/prelink.if')
| -rw-r--r-- | policy/modules/admin/prelink.if | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if new file mode 100644 index 00000000..20d46979 --- /dev/null +++ b/policy/modules/admin/prelink.if @@ -0,0 +1,205 @@ +## <summary>Prelink ELF shared library mappings.</summary> + +######################################## +## <summary> +## Execute prelink in the prelink domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`prelink_domtrans',` + gen_require(` + type prelink_t, prelink_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) + + ifdef(`hide_broken_symptoms',` + dontaudit prelink_t $1:socket_class_set { read write }; + dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; + ') +') + +######################################## +## <summary> +## Execute prelink in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_exec',` + gen_require(` + type prelink_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, prelink_exec_t) +') + +######################################## +## <summary> +## Execute prelink in the prelink +## domain, and allow the specified role +## the prelink domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`prelink_run',` + gen_require(` + attribute_role prelink_roles; + ') + + prelink_domtrans($1) + roleattribute $2 prelink_roles; +') + +######################################## +## <summary> +## Make the specified file type prelinkable. +## </summary> +## <param name="file_type"> +## <summary> +## File type to be prelinked. +## </summary> +## </param> +# +interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; + ') + + typeattribute $1 prelink_object; +') + +######################################## +## <summary> +## Read prelink cache files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_read_cache',` + gen_require(` + type prelink_cache_t; + ') + + files_search_etc($1) + allow $1 prelink_cache_t:file read_file_perms; +') + +######################################## +## <summary> +## Delete prelink cache files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_delete_cache',` + gen_require(` + type prelink_cache_t; + ') + + files_rw_etc_dirs($1) + allow $1 prelink_cache_t:file delete_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## prelink log files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_manage_log',` + gen_require(` + type prelink_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, prelink_log_t, prelink_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## prelink var_lib files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_manage_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') + +######################################## +## <summary> +## Relabel from prelink lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_relabelfrom_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') + +######################################## +## <summary> +## Relabel prelink lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_relabel_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') |